Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-14_16.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI

Back to Search

pfSense: pfSense-SA-14_16.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
08/08/2014
Created
07/25/2018
Added
08/25/2017
Modified
03/27/2020

Description

Multiple Persistent Cross-Site Scripting (XSS) vulnerabilities were discovered in the pfSense WebGUI during a security audit. * Persistent XSS in firewall_aliases_edit.php * Persistent XSS in firewall_virtual_ip_edit.php / services_ntpd.php + interfaces_gre_edit.php and interfaces_gif_edit.php Due to the lack of proper encoding on the affected variables and pages, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. Characters sent via POST in the "detail" variable on firewall_aliases_edit.php are not properly encoded and the value is saved in the firewall configuration. The "descr" parameter for a Virtual IP address on firewall_virtual_ip_edit.php script is not properly validated or sanitized before display on certain pages and its value is stored in the firewall configuration.

Solution(s)

  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;